TNW Sites

Facebook starting to pay hackers to discover vulnerabilities

Facebook is today beginning a program that will allow them to compensate hackers that discover vulnerabilities in the site’s code, reports Computerworld. In order to be compensated, the hackers must sign up for the new whitehat hacking portal and report the issues directly to Facebook’s security team.

Facebook will begin by offering a base bounty of $500 and will be willing to pay more if the flaws discovered are major ones.

“In the past we’ve focused on name recognition by putting their name up on our page, sending schwag out and using this an avenue for interviews and the recruiting process,” Alex Rice, Facebook’s product security lead, told Computerworld, “we’re extending that now to start paying out monetary rewards.”

In order to qualify for a bounty, Facebook says that hackers must:

Give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research

Be the first person to responsibly disclose the bug

Report a bug that could compromise the integrity or privacy of Facebook user data

Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

Facebook currently has a basic submission process that gives public recognition to hackers in the form of a thank you from the security team. Now, the portal will be upgraded to be a place where security researchers can sign up, log in and report bugs.

With a service that has as many users as Facebook, any potential vulnerabilities stand to affect hundreds of millions of people. This makes it paramount that Facebook get to the issues first and fix them before they can become a major security or privacy problem. Efforts like a cash bounty that encourages hackers to give the news to in-house security first are one of the ways that companies with user bases as big as Google and Facebook try to ensure that this happens.